The issuer of the response does not match to the identity provider we sent the request to


tobias_2

Feb 3, 2014, 5:57:30 AM2/3/14
to simple...@googlegroups.com

Hi

I am trying to setup simpleSAMLphp as an SP with a shibboleth IdP.
When I test the “default-sp” authentication source I get redirected to my Shibboleth installation and can log in. But then I get this simpleSAMLphp error:

Caused by: SimpleSAML_Error_Exception: The issuer of the response does not match to the identity provider we sent the request to.

 

The expected issuer is “https://sso.mydomain.net/idp/profile/SAML2/Redirect/SSO”. But the issuer in the response is: “http://sp.mydomain.net/simplesaml/module.php/saml/sp/metadata.php/default-sp”.
Somehow the requester and the issuer got mixed up.
 
Where could be the problem? 
 
In the “saml20-idp-remote.php” I have https://sso.mydomain.net/idp/profile/SAML2/Redirect/SSO as the IdP-ID.
In the Shibboleth config (relying-party.xml) I have http://sp.mydomain.net/simplesaml/module.php/saml/sp/metadata.php/default-sp as the SP-ID.
 
Any help is much appreciated.
 
Regards,
Tobias

Peter Schober

Feb 3, 2014, 6:23:51 AM2/3/14
to simple...@googlegroups.com
* tobias_2 <tobi...@outlook.com> [2014-02-03 12:09]:
No
That's your error.

Regarding the former: Unless you explicitly changed your Shib IDP's
entityID to that value this is not (and should not be) your
entityID. The installer defaults to
https://sso.mydomain.net/idp/shibboleth (using your example).
There's no reason to change this string to a protocol endpoint; in
fact this reeks of confusion.

As for the latter: If you find what clearly is the entityID of the SP
in protocol messages as the issuer's entityID, it can only be because
you made it the IDP's entityID.
(Mostly by changing random stuff in the config you don't fully
understand, instead of using the documentation).

> Where could be the problem?

KEBKAC?

> In the “saml20-idp-remote.php” I have https://sso.mydomain.net/idp/profile/SAML2/Redirect/SSO as the IdP-ID.

I doubt that's correct but technically anyURI would work.
I would suggest to not change the software's defaults randomly as
(Q.E.D.) this only serves to confuse yourself.

> In the Shibboleth config (relying-party.xml) I have
> http://sp.mydomain.net/simplesaml/module.php/saml/sp/metadata.php/default-sp
> SP-ID.

That fully depends on what specifically you did in that config
file (as there are places where you can legitimately set specific
options for specific SPs in relying-party.xml, which would hence take
the SP's entityID as a value).
From the results you get it's safe to assume you set the SP's entityID
as "provider" in one of the *RelyingParty elements, hence making it
the IDP's own entityID.

Also not an issue for this list but a misconfigured Shibboleth IDP.
-peter

Peter Schober

Feb 3, 2014, 6:27:15 AM2/3/14
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2014-02-03 12:23]:
> KEBKAC?

PEBKAC, before someone else plays human spellchecker,
-peter
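As an added illustration of the check Peter is describing (this is example code written for this page, not simpleSAMLphp's own implementation nor anything from the thread), the script below reproduces the SP-side comparison that produced Tobias's error: the saml:Issuer of the samlp:Response must equal, as an opaque string, the entityID of the IdP the AuthnRequest went to, which in simpleSAMLphp is the key of the IdP's entry in saml20-idp-remote.php. The IdP entityID https://sso.mydomain.net/idp/shibboleth is the Shibboleth installer default Peter names, assumed here to be what Tobias's IdP should issue; the Response documents are constructed sample data, not captures. The demo at the bottom walks through the correct pairing and the two misconfigurations discussed: the IdP issuing under the SP's entityID (Peter's diagnosis of the relying-party.xml "provider" mistake) and the SP keying its IdP entry by the SSO endpoint URL instead of the entityID.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces of SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Identifiers from the thread. IDP_ENTITY_ID is the Shibboleth installer default
# Peter mentions (assumed to be what the IdP should issue); IDP_SSO_ENDPOINT is the
# endpoint Tobias used as the IdP-ID; SP_ENTITY_ID is the simpleSAMLphp default-sp id.
IDP_ENTITY_ID = "https://sso.mydomain.net/idp/shibboleth"
IDP_SSO_ENDPOINT = "https://sso.mydomain.net/idp/profile/SAML2/Redirect/SSO"
SP_ENTITY_ID = ("http://sp.mydomain.net/simplesaml/module.php/saml/sp/"
                "metadata.php/default-sp")


class IssuerMismatch(Exception):
    """Raised when the Response's Issuer is not the IdP the request was sent to."""


def make_response(issuer):
    """Constructed, minimal, unsigned samlp:Response for testing (sample data, not a capture)."""
    return (
        '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
        'ID="_r1" Version="2.0" IssueInstant="2014-02-03T10:57:30Z">'
        '<saml:Issuer>{issuer}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:Response>'
    ).format(samlp=NS["samlp"], saml=NS["saml"], issuer=issuer)


def encode_posted_response(response_xml):
    """Encode a Response the way the HTTP-POST binding carries it in the SAMLResponse field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def response_issuer(response_xml):
    """Return the entityID carried in the top-level saml:Issuer of a samlp:Response.

    xml.etree is used to stay stdlib-only; a production SP should run untrusted XML
    through a hardened parser (e.g. defusedxml) before inspecting anything.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("Response carries no saml:Issuer")
    # If a Format is given at all it must be the entity format: this value is an entityID.
    fmt = issuer.get("Format")
    if fmt is not None and fmt != ENTITY_FORMAT:
        raise ValueError("unexpected Issuer Format: %s" % fmt)
    return issuer.text.strip()


def check_issuer(response_xml, expected_idp_entity_id):
    """The SP-side check behind the thread's error message.

    The Issuer must equal, byte for byte, the entityID of the IdP the AuthnRequest
    was sent to (the key of that IdP's entry in saml20-idp-remote.php). entityIDs
    are opaque URIs: no case folding, no trailing-slash or scheme normalisation.
    """
    issuer = response_issuer(response_xml)
    if issuer != expected_idp_entity_id:
        raise IssuerMismatch(
            "The issuer of the response does not match the identity provider we "
            "sent the request to. Expected %r, got %r" % (expected_idp_entity_id, issuer)
        )
    return issuer


def check_posted_response(saml_response_b64, expected_idp_entity_id):
    """Same check, starting from the base64 SAMLResponse form field of an HTTP-POST."""
    xml_bytes = base64.b64decode(saml_response_b64, validate=True)
    return check_issuer(xml_bytes.decode("utf-8"), expected_idp_entity_id)


def issuer_matches(response_xml, expected_idp_entity_id):
    """Boolean form of check_issuer."""
    try:
        check_issuer(response_xml, expected_idp_entity_id)
        return True
    except IssuerMismatch:
        return False


if __name__ == "__main__":
    # 1. Correct pairing: the IdP issues under its own entityID and the SP expects that.
    print("ok:", check_issuer(make_response(IDP_ENTITY_ID), IDP_ENTITY_ID))
    # 2. Peter's diagnosis of Tobias's setup: the IdP's "provider" was set to the SP's
    #    entityID, so the IdP issues as the SP and the check fails.
    print("idp issues as sp:", issuer_matches(make_response(SP_ENTITY_ID), IDP_SSO_ENDPOINT))
    # 3. Only the SP side wrong: the IdP issues its real entityID but saml20-idp-remote.php
    #    is keyed by the SSO endpoint URL, which is not the entityID.
    print("sp keyed by endpoint:", issuer_matches(make_response(IDP_ENTITY_ID), IDP_SSO_ENDPOINT))
```

Running the script shows case 1 passing and cases 2 and 3 both failing, which is why fixing only one side of Tobias's configuration would still leave the error in place: the IdP must issue its own entityID, and the SP must use exactly that string as the IdP-ID.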